MidnightBSD

Advisories for inter7

CVE-2000-0091 HIGH

Buffer overflow in vchkpw/vpopmail POP authentication package allows remote attackers to gain root privileges via a long username or password.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 vpopmail vchkpw_3.4.11
inter7 vpopmail vchkpw_3.4.5
inter7 vpopmail vchkpw_3.4.8
inter7 vpopmail vchkpw_3.4.4
inter7 vpopmail vchkpw_3.4.6
inter7 vpopmail vchkpw_3.4.2
inter7 vpopmail vchkpw_3.4.3
inter7 vpopmail vchkpw_3.4.9
inter7 vpopmail vchkpw_3.4.7
inter7 vpopmail vchkpw_3.4.1
CVE-2000-0583 MEDIUM

vchkpw program in vpopmail before version 4.8 does not properly cleanse an untrusted format string used in a call to syslog, which allows remote attackers to cause a denial of service via a USER or PASS command that contains arbitrary formatting directives.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 vpopmail_vchkpw 4.5
inter7 vpopmail_vchkpw 4.7
CVE-2001-0990 MEDIUM

Inter7 vpopmail 4.10.35 and earlier, when using the MySQL module, compiles authentication information in cleartext into the libvpopmail.a library, which allows local users to obtain the MySQL username and password by inspecting the vpopmail programs that use the library.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 vpopmail 3.4.5
inter7 vpopmail 3.4.6
inter7 vpopmail 3.4.10
inter7 vpopmail 4.9.10
inter7 vpopmail 3.4.7
inter7 vpopmail 4.5
inter7 vpopmail 3.4.4
inter7 vpopmail 3.4.2
inter7 vpopmail 3.4.11e
inter7 vpopmail 3.4.1
inter7 vpopmail 3.4.3
inter7 vpopmail 4.7
inter7 vpopmail 3.4.11
inter7 vpopmail 4.6
inter7 vpopmail 4.8
inter7 vpopmail 4.9
inter7 vpopmail 3.4.8
inter7 vpopmail 3.4.9
CVE-2002-1414 MEDIUM

Buffer overflow in qmailadmin allows local users to gain privileges via a long QMAILADMIN_TEMPLATEDIR environment variable.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 qmailadmin 1.0
inter7 qmailadmin 1.0.3
inter7 qmailadmin 1.0.4
inter7 qmailadmin 1.0.5
inter7 qmailadmin 1.0.2
inter7 qmailadmin 1.0.1
CVE-2003-0040 HIGH

SQL injection vulnerability in the PostgreSQL auth module for courier 0.40 and earlier allows remote attackers to execute SQL code via the user name.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 courier-imap 1.6
double_precision_incorporated courier_mta 0.37.3
CVE-2004-0224 HIGH

Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range."

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
double_precision_incorporated sqwebmail 3.6.1
double_precision_incorporated sqwebmail 3.6_.0
double_precision_incorporated sqwebmail 3.5.2
double_precision_incorporated courier_mta 0.44.2
gentoo linux 1.4
inter7 courier-imap 2.1.1
inter7 courier-imap 2.1
double_precision_incorporated courier_mta 0.44
double_precision_incorporated courier_mta 0.43
double_precision_incorporated sqwebmail 3.6.2
inter7 courier-imap 1.7
double_precision_incorporated courier_mta 0.43.2
inter7 courier-imap 2.0.0
inter7 courier-imap 1.6
double_precision_incorporated courier_mta 0.43.1
inter7 courier-imap 2.1.2
inter7 courier-imap 2.2.1
inter7 courier-imap 2.2.0
double_precision_incorporated sqwebmail 3.5.3
CVE-2004-0591 MEDIUM

Cross-site scripting (XSS) vulnerability in the print_header_uc function for SqWebMail 4.0.4 and earlier, and possibly 3.x, allows remote attackers to inject arbitrary web script or HRML via (1) e-mail headers or (2) a message with a "message/delivery-status" MIME Content-Type.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 sqwebmail 4.0.4
CVE-2004-0777 HIGH

Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-134,

Products Affected

Vendor Product Version
inter7 courier-imap 1.7
inter7 courier-imap 2.0.0
inter7 courier-imap 1.6
inter7 courier-imap 2.1.1
inter7 courier-imap 2.1.2
inter7 courier-imap 2.1
inter7 courier-imap 2.2.1
inter7 courier-imap 2.2.0
CVE-2004-2313 MEDIUM

Inter7 SqWebMail 3.4.1 through 3.6.1 generates different error messages for incorrect passwords versus correct passwords on non-mail-enabled accounts (such as root), which allows remote attackers to guess the root password via brute force attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 sqwebmail 3.5.2
inter7 sqwebmail 3.5.3
inter7 sqwebmail 3.6.1
inter7 sqwebmail 3.4.1
inter7 sqwebmail 3.5.1
inter7 sqwebmail 3.6.0
inter7 sqwebmail 3.5.0
CVE-2005-1308 HIGH

SqWebMail allows remote attackers to inject arbitrary web script or HTML via CRLF sequences in the redirect parameter followed by the desired script or HTML.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 sqwebmail 4.0.5
inter7 sqwebmail 3.5.2
inter7 sqwebmail 3.5.3
inter7 sqwebmail 3.6.1
inter7 sqwebmail 3.4.1
inter7 sqwebmail 3.5.1
inter7 sqwebmail 4.0.4_2004-05-24
inter7 sqwebmail 3.6.0
inter7 sqwebmail 3.5.0
CVE-2005-2724 MEDIUM

Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 allows remote attackers to inject arbitrary web script or HTML via a file attachment that is processed by the Display feature. NOTE: the severity of this issue has been disputed by the developer.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 sqwebmail 4.0.7
inter7 sqwebmail 5.0.0
inter7 sqwebmail 3.4.1
inter7 sqwebmail 3.5.1
inter7 sqwebmail 3.6.0
inter7 sqwebmail 4.0.6
inter7 sqwebmail 5.0.4
inter7 sqwebmail 4.0.5
inter7 sqwebmail 5.0.1
inter7 sqwebmail 3.5.2
inter7 sqwebmail 3.5.3
inter7 sqwebmail 3.6.1
inter7 sqwebmail 4.0.4_2004-05-24
inter7 sqwebmail 3.5.0
CVE-2005-2769 MEDIUM

Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 and possibly other versions allows remote attackers to inject arbitrary web script or HTML via an HTML e-mail containing tags with strings that contain ">" or other special characters, which is not properly sanitized by SqWebMail.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 sqwebmail 5.0.4
CVE-2005-2820 MEDIUM

Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 allows remote attackers to inject arbitrary web script or HTML via an e-mail message containing Internet Explorer "Conditional Comments" such as "[if]" and "[endif]".

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 sqwebmail 5.0.4
CVE-2006-1141 HIGH

Buffer overflow in qmailadmin.c in QmailAdmin before 1.2.10 allows remote attackers to execute arbitrary code via a long PATH_INFO environment variable.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 qmailadmin 1.2.1
inter7 qmailadmin 1.0.3
inter7 qmailadmin 1.2.0
inter7 qmailadmin 1.0.5
inter7 qmailadmin 1.0.2
inter7 qmailadmin 1.2.7
inter7 qmailadmin 1.0.4
inter7 qmailadmin 1.2.8
inter7 qmailadmin 1.2.9
inter7 qmailadmin 1.0.1
inter7 qmailadmin 1.2.3
inter7 qmailadmin 1.0.6
CVE-2006-2346 HIGH

vpopmail 5.4.14 and 5.4.15, with cleartext passwords enabled, allows remote attackers to authenticate to an account that does not have a cleartext password set by using a blank password to (1) SMTP AUTH or (2) APOP.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
inter7 vpopmail_(vchkpw) 5.4.15
inter7 vpopmail_(vchkpw) 5.4.14